Detect Data from Local System in Sumo Logic CSE
Adversaries may search local system sources, such as file systems, configuration files, local databases, and process memory to find files of interest and sensitive data prior to Exfiltration. Adversaries commonly target credential stores (Windows DPAPI, browser databases, SSH keys), corporate documents (Office files, PDFs), and system databases (Active Directory NTDS.dit, SAM hive) using command interpreters, native OS utilities like esentutl.exe and robocopy.exe, or custom malware. Observed threat actors include Kimsuky (document theft), HAFNIUM (data collection post-exploitation), LAPSUS$ (credential and file theft for extortion), and malware families such as QakBot (esentutl for browser credential extraction) and BADNEWS (recursive crawl for Office/PDF files).
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1005 Data from Local System
- Canonical reference
- https://attack.mitre.org/techniques/T1005/
Sumo Detection Query
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where !(isEmpty(%"event_id") AND isEmpty(EventCode))
| if (!isEmpty(%"event_id"), %"event_id", EventCode) as event_code
| where event_code in ("1", "11", "23")
| parse regex "<Data Name=\"Image\">(?<process_image>[^<]+)" nodrop
| parse regex "<Data Name=\"CommandLine\">(?<cmdline>[^<]+)" nodrop
| parse regex "<Data Name=\"TargetFilename\">(?<target_file>[^<]+)" nodrop
| parse regex "<Data Name=\"User\">(?<event_user>[^<]+)" nodrop
| parse regex "<Data Name=\"ParentImage\">(?<parent_image>[^<]+)" nodrop
| parse regex "<Computer>(?<src_host>[^<]+)</Computer>" nodrop
| if (isEmpty(process_image), %"process.executable", process_image) as process_image
| if (isEmpty(cmdline), %"process.command_line", cmdline) as cmdline
| if (isEmpty(target_file), %"file.path", target_file) as target_file
| toLowercase(process_image) as img_lower
| toLowercase(cmdline) as cmd_lower
| toLowercase(target_file) as tgt_lower
| if (matches(img_lower, "*esentutl.exe*")
AND (matches(cmd_lower, "*ntds*") OR matches(cmd_lower, "*.dit*")
OR matches(cmd_lower, "*login data*") OR matches(cmd_lower, "*cookies*")
OR matches(cmd_lower, "*/y *") OR matches(cmd_lower, "*/vss*")), 1, 0) as is_esentutl
| if ((matches(img_lower, "*cmd.exe*") OR matches(img_lower, "*powershell.exe*")
OR matches(img_lower, "*pwsh.exe*") OR matches(img_lower, "*wscript.exe*")
OR matches(img_lower, "*cscript.exe*") OR matches(img_lower, "*mshta.exe*"))
AND (matches(cmd_lower, "*.ssh*") OR matches(cmd_lower, "*id_rsa*")
OR matches(cmd_lower, "*id_ed25519*") OR matches(cmd_lower, "*credentials*")
OR matches(cmd_lower, "*protect*") OR matches(cmd_lower, "*login data*")
OR matches(cmd_lower, "*ntds.dit*") OR matches(cmd_lower, "*.kdbx*")
OR matches(cmd_lower, "*filezilla*") OR matches(cmd_lower, "*recentservers*")
OR matches(cmd_lower, "*winscp.ini*") OR matches(cmd_lower, "*.pst*")
OR matches(cmd_lower, "*.ost*")), 1, 0) as is_sensitive_path_cli
| if ((matches(img_lower, "*powershell.exe*") OR matches(img_lower, "*pwsh.exe*"))
AND (matches(cmd_lower, "*get-childitem*recurse*") OR matches(cmd_lower, "*gci*recurse*")
OR matches(cmd_lower, "*gci*-r *") OR matches(cmd_lower, "*dir /s*")
OR matches(cmd_lower, "*tree /f*") OR matches(cmd_lower, "*compress-archive*"))
AND (matches(cmd_lower, "*.pdf*") OR matches(cmd_lower, "*.docx*")
OR matches(cmd_lower, "*.xlsx*") OR matches(cmd_lower, "*.pptx*")
OR matches(cmd_lower, "*.pfx*") OR matches(cmd_lower, "*.pem*")
OR matches(cmd_lower, "*.key*") OR matches(cmd_lower, "*.kdbx*")
OR matches(cmd_lower, "*.pst*")), 1, 0) as is_bulk_enum
| if ((matches(img_lower, "*robocopy.exe*") OR matches(img_lower, "*xcopy.exe*"))
AND (matches(cmd_lower, "*.ssh*") OR matches(cmd_lower, "*credential*")
OR matches(cmd_lower, "*protect*") OR matches(cmd_lower, "*\sam*")
OR matches(cmd_lower, "*ntds*") OR matches(cmd_lower, "*.kdbx*")
OR matches(cmd_lower, "*filezilla*")), 1, 0) as is_bulk_copy
| if ((event_code in ("11","23"))
AND (matches(tgt_lower, "*microsoft\credentials*")
OR matches(tgt_lower, "*microsoft\protect*")
OR (matches(tgt_lower, "*.ssh*")
AND (matches(tgt_lower, "*id_rsa*") OR matches(tgt_lower, "*id_ed25519*") OR matches(tgt_lower, "*id_ecdsa*")))
OR matches(tgt_lower, "*google\chrome*login data*")
OR matches(tgt_lower, "*microsoft\edge*login data*")
OR matches(tgt_lower, "*firefox*logins.json*")
OR matches(tgt_lower, "*firefox*key4.db*")
OR matches(tgt_lower, "*system32\config\sam*")
OR matches(tgt_lower, "*system32\config\system*")
OR matches(tgt_lower, "*system32\config\security*")
OR matches(tgt_lower, "*ntds.dit*")
OR matches(tgt_lower, "*.kdbx*")
OR matches(tgt_lower, "*filezilla*recentservers.xml*")
OR matches(tgt_lower, "*winscp.ini*")), 1, 0) as is_sensitive_file
| (is_esentutl + is_sensitive_path_cli + is_bulk_enum + is_bulk_copy + is_sensitive_file) as suspicion_score
| where suspicion_score > 0
| if (is_esentutl = 1, "ESE Database Extraction (esentutl)",
if (is_bulk_enum = 1, "PowerShell Recursive Bulk Enumeration",
if (is_sensitive_file = 1, "Sensitive Credential/Data File Access or Staging",
if (is_sensitive_path_cli = 1, "CLI Access to Sensitive Credential Path",
if (is_bulk_copy = 1, "Bulk Copy Tool Targeting Sensitive Paths", "Unknown"))))) as signal_reason
| if (event_code = "1", "ProcessCreate",
if (event_code = "11", "FileCreate",
if (event_code = "23", "FileDeleteArchived", "Other"))) as event_type
| fields _messagetime, src_host, event_user, process_image, cmdline, target_file, parent_image, event_type, signal_reason, suspicion_score
| sort by _messagetime desc
Sumo Logic query for Sysmon-sourced Windows telemetry detecting T1005 Data from Local System. It parses the raw Sysmon XML fields (Image, CommandLine, TargetFilename, User, ParentImage, Computer) from EventCode 1 (ProcessCreate), 11 (FileCreate), and 23 (FileDeleteArchived), and falls back to normalized ECS-style fields (process.executable, process.command_line, file.path) for events forwarded by Elastic/Winlogbeat. It then applies the same five-signal suspicion scoring model as the reference SPL version of this detection: esentutl ESE extraction, PowerShell recursive enumeration, direct sensitive file access/staging, sensitive-path CLI access, and bulk copy tool abuse. Each signal that fires adds one point, so suspicion_score is the number of signals matched, and signal_reason reports the highest-precedence signal in the order just listed. Several globs (for example *protect*, *credentials*, and the bare esentutl */y * copy switch) are deliberately broad, so expect the noise sources listed under False Positives & Tuning. Results are returned most recent first.
False Positives & Tuning
- Scheduled backup jobs from enterprise backup agents (Veeam, Acronis, Windows Server Backup) running under SYSTEM or dedicated backup service accounts legitimately read NTDS.dit via VSS, registry hives, and user credential directories — baseline suspicion_score events against backup maintenance windows
- Developer workstations with SSH key generation tooling or Git clients performing authorized key operations produce .ssh path and id_rsa filename matches — correlate with developer machine asset group and expected Git activity
- Security operations scripts for credential auditing (e.g., AD password health checks, automated CyberArk onboarding) often use PowerShell recursion combined with sensitive path keywords — validate against authorized pentest or SOC tooling inventory
Testing Methodology
Validate this detection against the four Atomic Red Team style test cases for T1005 below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Recursive Document Collection via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', '-Recurse', and file extension patterns. Sysmon Event ID 11: FileCreate for df00tech-filelist.csv in %TEMP%. PowerShell ScriptBlock Log Event ID 4104 showing the full collection script. File access events (if SACL auditing enabled, Security Event ID 4663) for each document accessed during enumeration.
- Test 2: Browser Credential Database Extraction via esentutl
Expected signal: Sysmon Event ID 1: Process Create for esentutl.exe with CommandLine containing '/y', 'Login Data', '/d', and '/o' flags. Sysmon Event ID 11: FileCreate for df00tech-logindata.db in %TEMP%. Security Event ID 4688 (if command line auditing enabled) capturing the full esentutl command. File access event on the Chrome Login Data file path.
- Test 3: SSH Private Key Collection
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '.ssh' and 'copy' and 'id_rsa'. Sysmon Event ID 11: FileCreate for both the test key file in .ssh and the copied file in %TEMP%. DeviceFileEvents (MDE): FileCreated action on .ssh directory path with id_rsa in filename, initiating process cmd.exe. Security Event ID 4663 on the .ssh directory if SACL auditing is enabled.
- Test 4: Windows DPAPI Credential Store Enumeration
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'dir /s /b' and 'Microsoft\Credentials'. Security Event ID 4688 (if command line auditing enabled). If SACL auditing is configured on the Credentials directory, Security Event ID 4663 for directory access. DeviceProcessEvents (MDE) will capture the command with full path context.
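The query's scoring logic, the tuning guidance under False Positives & Tuning, and the four tests above can be checked offline with the following Python replay. This is an added example and not the page's query or the project's code: it re-implements the five signals, their precedence for signal_reason, and a backup-account maintenance-window suppression, and runs them over constructed Sysmon XML events. The host name ws01.corp.example, the accounts CORP\alice and CORP\svc_backup, the ExampleBackup agent path, and the maintenance hours are assumptions, not real telemetry.

```python
"""Offline replay of the Sumo query's five-signal T1005 scoring.

Added example, not the page's query. It re-implements the signal, precedence and
tuning logic in Python so the rules can be unit-tested against constructed Sysmon
XML events without a Sumo tenant. Host, user and path values are assumptions.
"""
import re
from fnmatch import fnmatchcase


def sysmon(event_id, hour, user, image, cmdline="", target=""):
    """Trimmed Sysmon event: <Computer> sits under <System>, the per-event
    fields are <Data Name="..."> children of <EventData>."""
    return (f"<Event><System><EventID>{event_id}</EventID>"
            f'<TimeCreated SystemTime="2024-05-01T{hour:02d}:15:00Z"/>'
            "<Computer>ws01.corp.example</Computer></System><EventData>"
            f'<Data Name="Image">{image}</Data><Data Name="CommandLine">{cmdline}</Data>'
            f'<Data Name="TargetFilename">{target}</Data><Data Name="User">{user}</Data>'
            "</EventData></Event>")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLES = [  # constructed events: the four tests above plus two tuning cases
    ("test1_enum", sysmon(1, 10, r"CORP\alice", PS, r'powershell.exe -c "Get-ChildItem C:\Users -Recurse '
                          r'-Include *.docx,*.pdf,*.xlsx | Export-Csv $env:TEMP\df00tech-filelist.csv"')),
    ("test2_esentutl", sysmon(1, 10, r"CORP\alice", r"C:\Windows\System32\esentutl.exe",
                              r'esentutl.exe /y "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
                              r'/d "C:\Users\alice\AppData\Local\Temp\df00tech-logindata.db" /o')),
    ("test3_ssh_cli", sysmon(1, 10, r"CORP\alice", CMD,
                             r"cmd.exe /c copy C:\Users\alice\.ssh\id_rsa C:\Users\alice\AppData\Local\Temp\df00tech-id_rsa")),
    ("test3_ssh_file", sysmon(11, 10, r"CORP\alice", CMD, target=r"C:\Users\alice\.ssh\id_rsa")),
    ("test4_dpapi", sysmon(1, 10, r"CORP\alice", CMD,
                           r"cmd.exe /c dir /s /b C:\Users\alice\AppData\Roaming\Microsoft\Credentials")),
    ("stacked", sysmon(1, 10, r"CORP\alice", PS, r'powershell.exe -nop -c "gci C:\Users -Recurse -Include *.kdbx,*.pfx '
                       r'| Compress-Archive -DestinationPath $env:TEMP\vault.zip"')),
    ("backup_fp", sysmon(11, 2, r"CORP\svc_backup", r"C:\Program Files\ExampleBackup\agent.exe",
                         target=r"D:\Backups\ws01\Windows\System32\config\SAM")),
    ("benign", sysmon(1, 10, r"CORP\alice", PS, r'powershell.exe -c "Get-ChildItem C:\src -Recurse -Include *.cs"')),
]

DATA = re.compile(r'<Data Name="(\w+)">([^<]*)</Data>')


def parse_event(xml):
    """Same regex style the query uses; Computer is read from <System>, not <Data>."""
    d = dict(DATA.findall(xml))
    return {"code": re.search(r"<EventID>(\d+)</EventID>", xml).group(1),
            "host": re.search(r"<Computer>([^<]+)</Computer>", xml).group(1),
            "hour": int(re.search(r'SystemTime="[^"]*T(\d\d):', xml).group(1)),
            "user": d.get("User", ""), "image": d.get("Image", ""),
            "cmdline": d.get("CommandLine", ""), "target": d.get("TargetFilename", "")}


def any_glob(text, *globs):
    """Sumo matches(): '*' wildcard against the lower-cased field."""
    return any(fnmatchcase(text, g) for g in globs)


INTERP = ("*cmd.exe*", "*powershell.exe*", "*pwsh.exe*", "*wscript.exe*", "*cscript.exe*", "*mshta.exe*")
CLI_PATHS = ("*.ssh*", "*id_rsa*", "*id_ed25519*", "*credentials*", "*protect*", "*login data*", "*ntds.dit*",
             "*.kdbx*", "*filezilla*", "*recentservers*", "*winscp.ini*", "*.pst*", "*.ost*")
RECURSE = ("*get-childitem*recurse*", "*gci*recurse*", "*gci*-r *", "*dir /s*", "*tree /f*", "*compress-archive*")
DOC_EXT = ("*.pdf*", "*.docx*", "*.xlsx*", "*.pptx*", "*.pfx*", "*.pem*", "*.key*", "*.kdbx*", "*.pst*")
COPY_PATHS = ("*.ssh*", "*credential*", "*protect*", "*\\sam*", "*ntds*", "*.kdbx*", "*filezilla*")
FILES = ("*microsoft\\credentials*", "*microsoft\\protect*", "*google\\chrome*login data*",
         "*microsoft\\edge*login data*", "*firefox*logins.json*", "*firefox*key4.db*", "*system32\\config\\sam*",
         "*system32\\config\\system*", "*system32\\config\\security*", "*ntds.dit*", "*.kdbx*",
         "*filezilla*recentservers.xml*", "*winscp.ini*")


def signals(ev):
    """(flag, reason, fired) in the query's signal_reason precedence order."""
    img, cmd, tgt = ev["image"].lower(), ev["cmdline"].lower(), ev["target"].lower()
    return [
        ("is_esentutl", "ESE Database Extraction (esentutl)", any_glob(img, "*esentutl.exe*")
         and any_glob(cmd, "*ntds*", "*.dit*", "*login data*", "*cookies*", "*/y *", "*/vss*")),
        ("is_bulk_enum", "PowerShell Recursive Bulk Enumeration", any_glob(img, "*powershell.exe*", "*pwsh.exe*")
         and any_glob(cmd, *RECURSE) and any_glob(cmd, *DOC_EXT)),
        ("is_sensitive_file", "Sensitive Credential/Data File Access or Staging", ev["code"] in ("11", "23")
         and (any_glob(tgt, *FILES) or (any_glob(tgt, "*.ssh*")
                                        and any_glob(tgt, "*id_rsa*", "*id_ed25519*", "*id_ecdsa*")))),
        ("is_sensitive_path_cli", "CLI Access to Sensitive Credential Path",
         any_glob(img, *INTERP) and any_glob(cmd, *CLI_PATHS)),
        ("is_bulk_copy", "Bulk Copy Tool Targeting Sensitive Paths",
         any_glob(img, "*robocopy.exe*", "*xcopy.exe*") and any_glob(cmd, *COPY_PATHS)),
    ]


def score(ev):
    hits = [(flag, reason) for flag, reason, fired in signals(ev) if fired]
    return {"host": ev["host"], "user": ev["user"], "event_code": ev["code"], "signals": [f for f, _ in hits],
            "suspicion_score": len(hits), "signal_reason": hits[0][1] if hits else "Unknown"}


# Tuning from the False Positives section: drop a known backup service account inside
# its maintenance window. Both values are assumed for this example.
BACKUP_ACCOUNTS = {r"corp\svc_backup"}
MAINTENANCE_HOURS = range(1, 5)  # 01:00-04:59 UTC


def tuned_out(ev):
    return ev["user"].lower() in BACKUP_ACCOUNTS and ev["hour"] in MAINTENANCE_HOURS


def detect(samples=SAMPLES, apply_tuning=True):
    """Mirror `where event_code in (...)` and `where suspicion_score > 0`; return {label: result}."""
    out = {}
    for label, xml in samples:
        ev = parse_event(xml)
        if ev["code"] not in ("1", "11", "23") or (apply_tuning and tuned_out(ev)):
            continue
        r = score(ev)
        if r["suspicion_score"] > 0:
            out[label] = r
    return out


if __name__ == "__main__":
    for label, r in detect().items():
        print(f'{label:16} score={r["suspicion_score"]} reason={r["signal_reason"]}')
```

Running it prints one line per surviving event: each of the four test events fires exactly one signal, the stacked event scores 2 (recursive enumeration plus a .kdbx path match) and reports the higher-precedence bulk-enumeration reason, the backup_fp event trips is_sensitive_file but is dropped by the maintenance-window tuning, and the benign recursive listing of .cs files never scores. Use the same structure to add a sample event whenever a new glob is added to the query, so the rule stays covered by a replayable case.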
References (10)
- https://attack.mitre.org/techniques/T1005/
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://symantec-enterprise-blogs.security.com/threat-intelligence/troll-stealer-lazarus-macos
- https://redcanary.com/threat-detection-report/techniques/t1005/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.kaspersky.com/blog/qakbot-malware-analysis/43132/